These days, it’s easier than ever to create a website, and there are a million reasons you should maintain one, whether for business or personal use. That’s probably why there are so many sites with glaring security vulnerabilities. You want to take the necessary precautions to ensure that yours isn’t one of them. Here’s how to start.
Regardless of your industry, your business needs a web presence. That’s not up for debate. Neither is the fact that if your website isn’t secure, it leaves your business open to a wide array of attacks – everything from site hijacks to code injection.
I’d like to go over some of the most common security failings I’ve seen with newer webmasters to make sure you avoid making them yourself.
Don’t Be Lax with Updates
Contrary to what Hollywood has you believe, most hackers aren’t experienced, hyper-capable black hats. They’re opportunists looking to make a quick buck. Consequently, most cyber attacks targeting websites are the digital equivalent of a smash-and-grab.
That is to say, they exploit well-known, well-documented vulnerabilities, most of which are already patched at the time the exploit occurs.
Just as a real-world criminal seeks out businesses vulnerable to theft, cyber-criminals try to target websites with un-patched security flaws. They’re counting on you being negligent with your updates. Don’t give them what they want.
Whenever a new patch comes out, apply it as soon as possible, especially if it’s a hot fix.
Protect Your Backend
Another distressingly common website vulnerability involves logins. When setting up your site, the very first thing you should do is change the username and password of the administrator account. That’s because one of the first things someone executing a brute-force attack will try is logging into your back end with default credentials.
Of course, even if you aren’t using default credentials, that doesn’t mean you’re safe. You’ll also want some form of brute-force protection – something that limits the number of failed login attempts (and preferably alerts you in the process). Finally, a strong password is a must.
Said password should meet the following criteria, according to tech site How-To Geek:
- At least 12 characters long, but ideally longer.
- Includes numbers, symbols, and standard text, both upper and lowercase.
- Doesn’t include an obvious combination of dictionary words, such as “This is a secure password.”
- Doesn’t rely on well-known substitutions, like 0 for O.
- Easy for you to remember. This is the one area where a lot of passwords tend to fall short. My recommendation is to use a random generator to create a string of completely unrelated words, tweak it a bit, and then memorize that combination via mnemonics.
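To make the brute-force protection described above concrete, here is an added example (not code from the original post) of a failed-login limiter: it counts failures per account inside a sliding window, locks the account once a threshold is hit, and fires an alert callback so you hear about it. The thresholds, the `LoginGuard` class and the `attempt_login` wrapper are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy (example values, not from the original post):
MAX_FAILURES = 5   # failures within WINDOW seconds that trigger a lockout
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds the account stays locked afterwards

class LoginGuard:
    def __init__(self, alert, now=time.time):
        self._alert = alert                  # called with (username, failure_count)
        self._now = now                      # injectable clock, handy for testing
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> unlock timestamp

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._now() >= until:
            del self._locked_until[user]     # lockout has expired
            return False
        return True

    def record_failure(self, user):
        """Register a failed login; returns True if it triggered a lockout."""
        now = self._now()
        q = self._failures[user]
        while q and now - q[0] > WINDOW:     # drop failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            q.clear()
            self._alert(user, MAX_FAILURES)  # notify the site owner
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)       # a good login resets the counter

def attempt_login(guard, user, password, check_password):
    """Refuse locked accounts before even checking the credentials."""
    if guard.is_locked(user):
        return "locked"
    if check_password(user, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "denied"
```

Plug `attempt_login` in front of whatever verifies passwords on your back end; the alert callback is where you would send an e-mail or write a log entry.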
Choose Your Add-ons Sparingly
Last but certainly not least, if you’re using a platform such as WordPress to build your site, you might be tempted to go overboard with plugins and themes. Be extremely careful. Each new component you add to your site increases your attack surface and opens another avenue through which an attacker might gain access.
More importantly, be extremely cognizant about where your add-ons come from. Be wary of ‘free’ premium plugins, as these almost inevitably contain some sort of backdoor that a savvy attacker will gleefully exploit. Download only from reputable sources: well-known developer websites, official plugin repositories, official theme libraries, and so on.
Keeping your website secure isn’t rocket science. It just requires a bit of due diligence and awareness of the threats you face. Follow the advice laid out here and use that as a foundation to be more conscientious, and ultimately more secure.